Procedures (v1.0) University Research Ethics Procedures
Procedures relating to: University Research Ethics Policy
Approving authority: Senate
Consultation via: University Committee for Research and Innovation; University Research Ethics Committee
Approval date: 31 August 2018
Effective date: 31 August 2018
Review period: Annually from date of approval
Responsible Executive: Secretary of the University
Responsible Office: Research and Enterprise Services
HERIOT-WATT UNIVERSITY
RESEARCH ETHICS PROCEDURES
CONTENT
Section
1 Introduction
2 Who should apply for Research Ethics approval for projects
3 Research ethics procedures
4 Different levels of research ethics committees
5 Applications to School research ethics committees
6 Escalation of a project proposal from the School to University Research Ethics Committee
7 Training
8 Related policies, procedures and further reference
9 Further help and advice
10 Definitions
11 Policy version and history
Appendix 1 An overview of research ethics approval process
Appendix 2 Delegated authority of the University Committee for Research and Innovation
Appendix 3 Terms of Reference for School research ethics committees
Appendix 4 Template School research ethics application form including Data Protection Impact Assessment Screening Questions
Appendix 5 Information Risk Management Checklist
Heriot-Watt University’s Procedures: Research Ethics (v. 1.0)
Version 1.0 : 31 August 2018 Author: University Research Ethics Committee
1. INTRODUCTION
These Procedures should be used in conjunction with the University Research Ethics Policy, which sets out a general framework for ethical conduct in relation to research activity at Heriot-Watt University (henceforth, the University).
These Procedures (henceforth, the Procedures) provide a framework for School research ethics practice at the University, including the Animal Welfare and Ethical Review Committee. The Procedures will be adopted by School research ethics committees.
2. WHO SHOULD APPLY FOR ETHICAL APPROVAL FOR PROJECTS
2.1 All Staff and Students undertaking a research project(s) should apply for ethical approval for their study/project(s).
2.2 WHEN SHOULD ETHICAL APPROVAL BE SOUGHT?
Short staff-led research projects of less than six months' duration require ethical approval before the study commences. For staff-led projects lasting longer than six months, ethical clearance is sufficient at the time of commencing the project. However, during longer-term projects, separate ethical approval may be required for individual studies that come within the umbrella of a larger project. The responsibility for gaining ethical approval in all such instances lies with the Principal Investigator.
For PhD students, it is the responsibility of the supervisor to make sure ethical approval is attained once the overall concept, goals and methodology of the project have been agreed.
Undergraduate and taught Postgraduate students require ethical approval before the study commences.
To comply with privacy laws, the University is required to embed data protection by design and default into all research activities involving personal data. All research proposals involving human participants or use of personal data obtained from the University or third parties need to undergo screening as part of the research ethics approval process. This is to determine whether a full data protection impact assessment is required and to identify proportionate organisational and technical measures to protect the data.
Please note: Ethical approval also needs to be sought for the reuse of personal data previously obtained during another research project.
A failure to submit research projects for ethical approval may be considered to be academic misconduct (see Section 9 in the University Research Ethics Policy). Appendix 1 details the research approval process.
EXTERNALLY FUNDED RESEARCH
Staff undertaking externally funded research should complete all ethics-related prompts on Worktribe and follow any ensuing instructions from Worktribe research ethics approvers. Please note: blanket approval should not be assumed as a consequence of using Worktribe, i.e. your study/project is likely to change once funding has been secured, and/or, your funding application may consist of several projects, each one possibly requiring individual ethical consideration and approval. If in any doubt, researchers should check with their School Research Ethics Committee once funding and research projects have been fully detailed.
3. RESEARCH ETHICS PROCEDURES
3.1 SCOPE
The Research Ethics Procedures:
a. provide a framework for the conduct of ethical procedures for School committees;
b. sit within the broader framework of research integrity and values of the University;
c. conform with all related legislation, e.g. Human Rights Act 1998, UK Data Protection Act 2018, European Union General Data Protection Regulation (GDPR), Human Tissues Act 2004, Equality Act 2010, Animals (Scientific Procedures) Act 1986, Genetically Modified Organisms (Contained Use) Regulations 2014;
d. are consistent with research ethics procedures and systems of key external institutions, e.g. professional associations, research councils, the NHS and local authorities;
e. conform with the fundamentals of academic freedom; and,
f. cover all forms of academic research, as well as situations involving the development and interpretation of existing knowledge within a professional setting, consultancy work and professional practice.
3.2 PURPOSE OF THE PROCEDURES
The purpose of these Procedures is to:
a. provide a range of recommended guidelines to help inform committees of good research ethics practice;
b. harmonise research ethics procedures across the University;
c. complement the research ethics procedures of key external/international institutions, e.g. professional associations, research councils, the NHS and local authorities; and
d. reinforce how research ethics link with the University's Strategic Plan, in that shared good practice in this aspect of research contributes to the aim of the University of becoming a world leader in a wide range of academic disciplines.
The Procedures should also be used in conjunction with the University Research Ethics Policy. For an overview of the research approval process see Appendix 1.
4. DIFFERENT LEVELS OF RESEARCH ETHICS COMMITTEES
See Appendix 2 for the delegated authority for the following committees:
4.1 UNIVERSITY RESEARCH ETHICS COMMITTEE (UREC)
UREC differs from School research ethics committees. The purpose of UREC is to maintain oversight of ethical matters in relation to the University’s research and innovation activities. UREC does not, except in very unusual circumstances, carry out research ethics checks on projects. See Section 6 for further information.
School research ethics committees sit under and feed into UREC via a nominated representative of each, typically the Chair of the committee. UREC is available to be consulted on matters unresolvable or beyond the expertise of the School committees.
4.2 SCHOOL RESEARCH ETHICS COMMITTEES
All Schools are expected to have a research ethics committee. The principal purposes of School Research Ethics Committees are to:
a. oversee the governance of research ethics according to local and specific areas of research; and,
b. establish and operate ethical review procedures for local and specialised areas of research.
See Appendix 3 for the terms of reference for School committees.
4.3 ANIMAL WELFARE AND ETHICAL REVIEW COMMITTEE
The principal purposes of the Animal Welfare and Ethical Review Committee (AWERC) are to:
a. oversee the use of animals in research and teaching;
b. approve and monitor the use and supply of animals for these purposes; and
c. ensure all activities they review comply with relevant animal research legislation.
The AWERC (as depicted in Appendix 2) feeds into UREC in a similar manner to School research ethics committees.
Note: No animal research or teaching may be carried out without the approval of the Animal Welfare and Ethical Review Committee (see Appendix 1 for more details).
5. APPLICATIONS TO SCHOOL RESEARCH ETHICS COMMITTEES
Committees should use standard forms, approved by UREC, for applications to obtain research ethics approval. Such forms should be informed by the University Research Ethics Policy. These may be shorter in some instances (e.g. research not involving human or human participants) and include further sections related to local requirements.
Under the GDPR, the University must embed data protection by design and default into all research activities involving personal data. Proposed projects that present a potentially high risk to privacy require a data protection impact assessment (DPIA) to be completed, and measures to mitigate their risks to be in place, before the activity can begin. The ethics approval recommendations in Appendix 4 embed the matters that need to be considered for all projects involving personal data. These include screening questions to determine whether a full DPIA is required.
See Appendix 4 for suggestions for a template research ethics approval form/process, including Data Protection Impact Assessment screening questions. Also see Appendix 1 for further details of the research ethics approval process.
Notes: Committees should stipulate a timeframe by which researchers can receive feedback on their applications. All applications need to be formally and suitably recorded and stored securely, with the completed forms and supporting documents, by the Committee in line with the University recommendations for research records retention. For research involving personal data the application form and supporting documents, such as privacy notices and consent forms, should form part of the records of the research processing activities and need to be kept for as long as the personal data to which they refer is held in an identifiable form.
6. ESCALATION OF PROJECT PROPOSAL FROM SCHOOL RESEARCH ETHICS COMMITTEE TO UNIVERSITY RESEARCH ETHICS COMMITTEE
Research ethics approval is essentially a matter devolved to School-level committees and individuals. However, research ethics approval can be sought from UREC when a decision cannot be made at School level or sufficient expertise can only be accessed via UREC.
7. TRAINING
UREC will agree the research ethics training needs for the University. Academic Leadership & Development is responsible for all research-related training and development opportunities and will take a lead in responding to research ethics training needs identified by UREC, drawing on appropriate ethics expertise across the University to develop and deliver any activities and programmes (e.g. RES, Registry, Academic departments, Data Protection Officer etc.). UREC may request reports on activities taking place from Academic Leadership & Development.
For Student research, research ethics training, including privacy and data security, should be taught as part of the student programmes. Further, it is the responsibility of the supervisor to make the Student aware of the need to design research that complies with the University Research Ethics Policy and wider professional standards and values if applicable.
8. RELATED POLICIES AND PROCEDURES AND FURTHER REFERENCE
Data Protection by Design and Data Protection Impact Assessment Toolkit for Researchers
Data Protection Policy
Disciplinary Code
Disciplinary Policy
GDPR and Research Guide
Student Discipline Policy and Procedure
University Research Ethics Policy
Research Data Management Policy
9. FURTHER HELP AND ADVICE
Questions related to these Procedures should be directed to the Chair of the University Research Ethics Committee or visit: https://intranet.hw.ac.uk/ps/res/Pages/Ethics-Committee.aspx
The Chair of UREC can be contacted via [email protected].
A current copy of these Procedures can be found at: http:// (to be inserted)
The Data Protection Officer can be contacted via:
Phone: +44 (0)131 451 3218/3219/3274
Email: [email protected]
10. DEFINITIONS
Animal: A vertebrate or invertebrate animal, but does not include a human being.
Data Controller: An organisation which determines the purposes for which personal data is processed and is legally accountable for the personal data that it collects and uses or contracts with others to process on its behalf. In this context the Data Controller will usually be the University.
Participant: A person who serves as a data source for research as a ‘participant’.
Personal data: Any information that could be used directly or indirectly to identify a living person.
School: A primary academic unit of the University devoted to one or more academic disciplines.
11. PROCEDURES VERSION AND HISTORY
Version No: V. XX
Date of Approval: xx.xx.xxxx
Approving Authority: University Committee for Research and Innovation
Brief Description of Amendment: (include a broad summary of changes and detail any policies that have been superseded by the new document)
APPENDIX 1: An overview of School research ethical approval processes [1]
[Flowchart]
Are you conducting research as a member of Staff or Student on behalf of the University?
  NO: No action required.
  YES: Do you expect your research to be externally funded?
    NO: Check School guidance on research ethics applications/contact School Research Ethics Officer.
    YES: Go to Worktribe and follow all research ethics prompts.
      Was your application for external research funding successful?
        NO: No action required.
        YES: Follow instructions from your Worktribe research ethics reviewer, i.e. blanket approval for your study should not be assumed and you may be asked to apply to the School for approval once the details of your wider study and sub-projects have been fully detailed.
Follow instructions from research ethics approver.
[1] If you are looking to acquire ethical approval from an external body (e.g. NHS) seek advice from RES. For research involving animals, contact the Animal Welfare and Ethical Review Committee.
Appendix 2: Delegated authority of the University Committee for Research and Innovation
[Organisation chart]
SENATE
  UNIVERSITY COMMITTEE FOR RESEARCH AND INNOVATION
    University Research Ethics Committee
      Animal Welfare and Ethical Review Committee
      School Research Ethics Committees
    School Research Committees
    Research Degrees Committee
    Research Management Committee (Malaysia)
APPENDIX 3: Terms of Reference for School Research Ethics committees
1. REMIT
The principal purposes of School Research Ethics Committees are to:
a. oversee the governance of research ethics according to local and specific areas of research;
b. establish and operate ethical review procedures for local and specialised areas of research; and
c. provide guidance and recommendations on research ethics training for Staff and Students.
2. MEMBERSHIP
The broad membership of committees should reflect the University’s commitment to equality and diversity via the Athena SWAN initiative. Such committees should aim to base membership on the following positions and forms of representation:
- Chair
- Deputy Chair
- Doctoral Student representative
- Appropriate representation from departments/institutes/research centres within the School
Notes: Committees should also draw on the necessary locally available expertise required of a research ethics committee. In certain circumstances, it may be necessary for committees to draw on external expertise, leading to one-off or recurring invitations to attend.
3. MEETINGS
Committee meetings should be decided on the basis of the needs of the School. However, meetings should be planned and advertised a year in advance. Meetings should be arranged to allow reporting to each UREC meeting and, therefore, take place a minimum of two weeks before UREC meetings. School committees should provide a short written report to each UREC meeting. UREC meeting dates can be found at: https://intranet.hw.ac.uk/ps/res/Pages/Ethics-Committee.aspx
All such meetings should be clerked and formal meeting minutes made available on the relevant Intranet system.
4. QUORACY
The quoracy for each meeting should be 50 per cent of all members.
APPENDIX 4: Template School research ethics application form including Data Protection Impact Assessment Screening Questions
The following should inform the design of School research ethics application forms/process including, where applicable, standard steps taken to ensure research is conducted in compliance with data protection legislation. It may be necessary in some instances to modify this list by either removing irrelevant requests for information or adding further criteria.
As the University is a UK Data Controller, the GDPR and the UK Data Protection Act 2018 (data protection laws) apply to all personal data processing by or on behalf of the University, no matter where in the world that processing takes place. Therefore, the data protection elements of this form should be used for all research projects involving human participants or personal data, including those conducted on the Dubai and Malaysia campuses or by fieldwork internationally.
In order to comply with the data protection laws, the University is required to:
1. Implement appropriate technical and organisational measures to apply the data protection principles and integrate these safeguards into research data management plans and processing activities so that we embed privacy by design and default into all of our management of personal data.
2. Carry out a full Data Protection Impact Assessment (DPIA) for all processing that is likely to result in a high risk to the privacy of individual data subjects (e.g. research participants). This application form will identify whether the DPIA is needed. Completing the DPIA will then help researchers to identify and minimise privacy risks presented by the processing required to achieve the research objectives.

1 To be completed for all projects
a. State the title of the proposed project.
b. State the question to be answered and the value of answering it.
c. Give an outline of the proposed project, including the procedures to be used, the measurements to be made and how the data will be analysed.
d. State the likely duration of the project and the premises in which it will be undertaken.
e. State the personal experience of the applicant in the field of investigation concerned.
f. State any ‘interest’, i.e. of profit, personal or departmental, financial or otherwise, relating to the study.
g. If the project is designed to test a drug or appliance, state its exact regulatory status.
h. Testing Medicines – Is the study sponsored by an industrial company? If so, please give details. What arrangements, if any, for compensation in the event of injury to participants (where there is neither fault nor strict liability under the Consumer Protection Act) have been made?
i. State whether animals are involved in any stage of the research project and if so give details.
j. State whether the research data will be received or created under conditions of confidentiality, e.g. data received in confidence from a funder, sponsor or partner, that may be confidential for commercial, safety or national security reasons; a trade secret; or due to inherent intellectual property rights, e.g. a patentable invention. If the data were lost or disclosed how would this affect the success of a research project, research income, REF outputs or knowledge transfer?
k. Explain the organisational and technical security measures that will be applied to protect the data from accidental or deliberate unauthorised disclosure, loss or alteration from the point of creation through its lifecycle. If the data is to be processed or stored by a third party, e.g. a cloud data storage company, application provider, market research company, translator or transcriber, confirm that due diligence has been completed and a University data processor agreement is in place.
l. State how long you intend to keep research data, referring to any funder’s requirements as appropriate. Do you intend to destroy the data securely once the project is completed/assessed, or is there a need to retain the data for a longer period for independent validation or for reuse?
2 Data protection and personal data
If the proposed project involves human participants or using personal data from other sources, the research ethics application also requires questions regarding data protection. Personal data is any information about people who can be identified from that information or in combination with other information. Please seek advice from the Data Protection Officer via [email protected] if you have any queries.
a. State the type of participants who will be involved, how they will be recruited, whether they are in a dependent relationship with the investigator, e.g. Student. Please see 3b below about vulnerable participants.
b. Provide details of any payments (financial or in kind) to participants.
c. Specify any other data subjects whose data will be obtained from third parties for use in the projects and the source of the data, e.g. NHS Scotland or the National Pupil Database.
d. Specify the categories of personal data to be processed, e.g. name, address, gender, dates of birth, opinions, interactions, etc. Explain why the data is needed and what will be done to minimise the personal data collected, used, stored and retained.
e. Specify any pseudonymisation procedures to be applied to reduce security risks to the data.
f. Once personal data is completely anonymised so that it cannot be used in combination with any other data to re-identify a person, it ceases to be personal data. If it is possible to anonymise the data without compromising the project, specify how and when this will be done.
g. State the way the participants’ informed consent to participate will be obtained.
h. Specify the data controller for personal data processed in the course of the project. This is normally the University, unless the data is processed under contract to or in partnership with another organisation.
h. In order to process personal data lawfully, the University must be able to demonstrate that it complies with one of the conditions set out in Article 6 of the GDPR. Where we process personal data for more than one purpose, a lawful condition must be identified for each purpose. The lawful condition provides the legal basis for processing. Please state the legal basis for processing the personal data obtained in the course of the project. This legal basis will also need to be stated in the privacy notice for participants. The legal basis will normally be either:

1. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
This applies to the University because our Royal Charter gives the University the authority to conduct academic research. This legal basis should be used for most projects and where:
- The project involves a team
- The project extends over several years (other than individual PhDs)
- Working with large datasets, especially pseudonymised data
- This is a condition of funding or use of data from third parties
- There is a need to retain the data after the project ends, for independent validation or for reuse, e.g. for longitudinal studies or by the team or other researchers for different research purposes

Or:

2. The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
This should be used:
- For short term projects, e.g. student dissertations
- Where withdrawal of consent will not impact on the project
- Where there is a professional ethical code requiring consent for processing throughout the project (e.g. the British Psychological Society Code of Human Research Ethics)
If a participant subsequently withdrew their consent, explain the impact on the project and how you would manage this.
i. Attach letters or information sheets to participants including privacy notices (which must be in simple, non-technical language), copies of advertisements or any other recruiting matter for healthy or patient volunteers, etc. If it is not possible to provide participant information, e.g. if the project involves an observational study of people who may not be aware that they are being observed, please explain here.
3. Data Protection Impact Assessment screening questions
The research ethics approval process should also include a DPIA for research that presents a potentially high risk to privacy. Forms are required to be designed to state whether the project involves any of the following. If so, a data protection impact assessment will need to be completed. Please seek advice from the Data Protection Officer. Details of the DPIA for research projects are published here.
a. The project involves processing special categories of personal data (sensitive personal data). This means personal data about one or more of the following: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; sex life or sexual orientation; proven or alleged offences. If so please give details.
If your project involves processing special categories of personal data you will need to satisfy a specific condition under Article 9 of the GDPR. You must still also have a lawful basis for your processing under Article 6 of the GDPR, in exactly the same way as for any other personal data. Please note that processing personal data about criminal convictions is subject to additional restrictions under the GDPR and will also require a separate DPIA. If your project involves processing this data please specify this here.
YES/NO
b. Personal data will be collected from participants or other data subjects (where data is collected from third parties) who are especially vulnerable, such as children, people with learning disabilities, patients, homeless people, refugees, people who lack capacity to consent etc.
YES/NO
c. Detailed profiles of individuals, including information about personal life, work performance or salaries or any other personal information that would cause significant damage or distress to that person if disclosed without their consent.
YES/NO
d. Systematic monitoring, which would include processes which observe, monitor or control individuals. This includes data collected from networks and monitoring of public areas (such as CCTV), or monitoring posts and interaction on social media channels; i.e. situations where a person may not be aware who is collecting this information about them and how their data might be used. This may include researchers observing interactions in person for ethnographic studies, depending on the overt or covert nature of the research, the degree of intrusion involved and ultimately what personal data is recorded for the research.
YES/NO
e. Any use of technology which might be perceived as being privacy intrusive. Depending on the nature of the research these may include, for example, the use of biometrics or facial recognition, some uses of artificial intelligence (AI), big data analytics - the combination and analysis of data from different sources to profile individuals in a way they would not expect.
YES/NO
f. The project requires you to contact individuals in ways that they may find intrusive.
YES/NO
g. Participation in the project is mandatory and participants are compelled to provide personal information about themselves.
YES/NO
h. There are potential hazards to participants (including personal security or deception). Please provide details, their estimated probability (if possible) and the precautions to be taken to meet them.
YES/NO
h. The project involves procedures which may cause discomfort or distress to participants. Please provide details of the procedures and the degree of discomfort or distress entailed and their estimated probability of harm.
YES/NO
i. Where the participant’s general practitioner is to be informed of the recruitment of the participant before the study begins, state whether the participant’s informed consent to such information being passed on is a condition of participation.
YES/NO
j. If the project will result in you or others making decisions or taking action against individuals in ways which can have a significant impact on them.
YES/NO
k. The project involves processing personal data outside the European Economic Area (including the use of non-EU based cloud or other data centres, software or applications) unless one of the following safeguards is in place:
YES/NO
A. The European Commission (EC) has designated the country as providing an adequate level of protection for privacy.
YES/NO
B. The organisation processing the data has signed a data processor/data sharing agreement with the University including the EU standard contractual clauses for international data transfers.
YES/NO
Outcome of DPIA screening process
Does this project require a DPIA? Yes No
If no, please complete the information risk management checklist in the Annex to this questionnaire as part of the research data management plan. If yes, please send this screening form to the Data Protection Officer via [email protected] for advice on completing the DPIA.
Appendix 5: Information Risk Management Checklist
Please complete this section if your project involves collecting or using personal data but you have answered NO to all questions in Part 1.3
Project:
Proposed Implementation Date:
Project Supervisor:
Date of initial review:
Version control:
Data management and security
Describe the information flows. A flow diagram may also be included to explain the data flows.
Why will the information be collected/used?
What information will be processed (i.e. types of data, specifying any special categories of personal data and any other high risk personal data including financial or location data)?
How many individuals will be affected?
Who will collect the information?
Will any information be sent outside the Heriot-Watt Group and its computer networks? i.e. not processed and stored on University managed IT systems. These are the Heriot-Watt University Office 365 account, R drive etc. If so please give details of security controls in place
If the data is to be processed by a contractor, partner or other third party on behalf of the University, including transcription services, IT systems and data hosting services, please provide details of the following:
- Signed HWU data processor/data sharing agreement or one conforming to equivalent GDPR standards.
- Details of relevant security certifications held by the contractor, e.g. PCI-DSS or ISO 287001.
- If applicable: Contractor’s information security and privacy policies.
You can check if the contractor you plan to use is already a data processor for the University by emailing [email protected]
How will the information be collected (e.g. electronically, on paper or both)? Please describe the security controls to be applied to this process.
How will information be secured in transit? (e.g. Encryption)
How will the information be stored (e.g. IT system used, database, filing cabinet)?
Please describe the security controls to be applied to control access on a business need to see basis.
How will the information be destroyed when no longer needed (e.g. secure erasure, cross cut shredder, confidential waste disposal)?
Who will need to have access to the information (e.g. list individuals and staff groups)? Please describe the security controls to be applied to control access on a business need to see basis.
With whom will the data be shared (e.g. individuals, third parties)? Please describe the security controls to be applied to control access on a business need to see basis.
What records retention policy will be applied to the data and who is accountable for implementing the policy? Explain whether the data will be destroyed at the end of the project, retained for x months/years in line with funders’ requirements or for reuse/independent validation.